How I found a way to evade all antivirus products

Hello readers!
These days I have been interested in AV evasion, and I learned a lot about how antivirus software works. Here I will write about my technique to evade every AV product.
Many Windows users think that an antivirus can stop any threat and that with an AV installed their computer is secure. This idea is false, because advanced malware is created every day that is not detected by any antivirus.

How does an antivirus work?

An AV has two scanning techniques:

– Static analysis, also called ‘signature-based analysis’: the antivirus compares the md5/sha1 signature of the potential threat with the signatures of known malware, and if the signature of the scanned program matches that of a known malware sample, the program is moved to the AV quarantine.

– Dynamic analysis, also called ‘runtime analysis’: once the program is executed, if it was not detected by signature, the antivirus tries to detect malicious actions such as decrypting a payload in memory, among many others.

Another type of protection is the AV sandbox: when a user suspects a file to be malware, it can be launched in the AV sandbox without internet access and with limited resources. A sandbox is like a Docker container on Linux: it can run a file without ‘infecting’ the real system.
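To make the static (signature-based) scan described above concrete, here is an added example that is not part of the original post. It works only on constructed byte blobs (no real sample) and contrasts a whole-file md5/sha1 signature with a byte-pattern signature of the kind YARA-style rules use, showing which of the two still fires when unrelated bytes of the file change; the signature names and the marker string are made up for the example.

```python
import hashlib

# Constructed "known bad" sample: not real malware, just bytes standing in for a
# scanned file. The marker string plays the role of a distinctive code sequence.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"CONSTRUCTED_PAYLOAD_MARKER" + b"\x00" * 60

# A hash signature identifies exactly one file: any single byte change misses it.
HASH_DB = {
    "Constructed.Sample.A (md5)": hashlib.md5(KNOWN_SAMPLE).hexdigest(),
    "Constructed.Sample.A (sha1)": hashlib.sha1(KNOWN_SAMPLE).hexdigest(),
}

# A byte-pattern signature (what YARA-style rules do) matches the distinctive
# sequence wherever it sits, so unrelated bytes may change without losing the hit.
PATTERN_DB = {
    "Constructed.Sample.A (pattern)": b"CONSTRUCTED_PAYLOAD_MARKER",
}


def match_hashes(data: bytes, hash_db: dict) -> list:
    """Return the names of hash signatures that exactly match the whole file."""
    md5 = hashlib.md5(data).hexdigest()
    sha1 = hashlib.sha1(data).hexdigest()
    return [name for name, sig in hash_db.items() if sig in (md5, sha1)]


def match_patterns(data: bytes, pattern_db: dict) -> list:
    """Return the names of byte-pattern signatures found anywhere in the file."""
    return [name for name, pat in pattern_db.items() if pat in data]


def scan(data: bytes) -> dict:
    """Static scan of one file: both signature kinds, plus an overall verdict."""
    hits = match_hashes(data, HASH_DB) + match_patterns(data, PATTERN_DB)
    return {"sha1": hashlib.sha1(data).hexdigest(), "hits": hits, "detected": bool(hits)}


def flip_one_padding_byte(data: bytes) -> bytes:
    """Constructed variant: change one byte of padding, leaving the marker intact."""
    mutated = bytearray(data)
    mutated[10] ^= 0x01  # index 10 is inside the zero padding, not the marker
    return bytes(mutated)


if __name__ == "__main__":
    samples = [
        ("original", KNOWN_SAMPLE),
        ("one-byte variant", flip_one_padding_byte(KNOWN_SAMPLE)),
        ("unrelated file", b"MZ\x90\x00" + b"\x00" * 100),
    ]
    for label, sample in samples:
        print(label, "->", scan(sample)["hits"])
```

The one-byte variant loses both hash hits but keeps the pattern hit, which is why a scanner that relies on whole-file hashes alone is easy to miss with and why pattern and behavioural checks are layered on top.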

What will you need to follow this writeup?

– A main OS with the Metasploit framework installed.
– A Windows virtual machine with an antivirus installed (mine is Kaspersky Free 2016), MinGW with gcc.exe, and Python 2.7.
In this writeup I will use Metasploit payloads as test executables for evading AV.

Msfvenom

Msfvenom is the payload generator of the Metasploit framework. Payloads generated by msfvenom are standalone and quite good for pentesting, but they are detected by most AV products (see the results from an online AV scanner with a simple meterpreter reverse shell payload).

My idea about Antivirus evasion

I tried many techniques to obtain a FUD (fully undetectable) executable, but none of them worked:

– Writing a Metasploit payload encoder in Ruby to obfuscate the malicious code of the payload. After some research I realised that the purpose of an MSF encoder is to avoid bad characters like \x00, not to evade AV software.
– Generating the payload in an interpreted language format (like .py, .vbs, .pl) and then compiling it into an executable.

Finally, I had a great idea: since Metasploit offers Python meterpreter payloads, I wanted to embed the Python payload in a C program using the Python development headers (Python.h), then compile it into a Windows executable. With this technique I got 1/37 on the NoDistribute online scanner.
I wanted a fully undetectable result, so I tried to create a malicious dynamic library with the Python payload embedded, and finally got a fully undetectable payload 🙂

We can check the exported functions of the malicious dynamic library I created!

-shared = tells gcc that the output will be a dynamic library
-I = tells gcc where Python.h is located
-o = the output file
-L = tells gcc where the Python interpreter library is located
-l = the name of the Python interpreter library (libpython27.a)

Portability Problem

We have our malicious dynamic library, but the problem is how to distribute it during a pentest: for example, we would need a .bat file or an .exe to call the malicious DLL, so how can we distribute the two files?

Argh, 1/38 for our standalone executable, but the only AV that detects it is ClamAV, which is a Unix antivirus: our payload is for Windows, so our executable is fully undetectable!!! If you want 0/37 you can distribute only the malicious DLL and a batch file that calls it. That's the end of the article, I hope you liked it 🙂

Note: please do not scan the samples with online scanners like VirusTotal, because they share results with AV vendors and our payload will not be FUD anymore.